FROMDEV

Common Azure DevOps Vulnerabilities and How to Avoid Them

Common Azure DevOps Vulnerabilities and How to Avoid Them

DevOps makes it easier and faster for organizations to design, develop, review, test, and deploy services to production than conventional software development organizations. This is achieved through collaboration among different teams and tools.

DevOps combines several processes to enable seamless collaboration and software product maintenance. Several organizations have started using DevOps to accelerate software development and release. As a result, security issues have simultaneously popped up, which also have to be tackled. You can use several tools for this. DevSecOps maintains security practices and follows guidelines at every stage of the software development process.

Challenges of DevOps Security

Sometimes, while enabling faster development, security practices are compromised. This creates open-source and security vulnerabilities in the software, prone to attacks like SQL injections, DDoS attacks, Cross-site Request Forgery, etc. On the other hand, security checks and testing slow down the development process, which the team won’t like. However, fixing these issues later in the process requires a lot more time and effort, thus increasing the delay in the software development lifecycle (SDLC).

DevOps Tools

Softwares around the world today depend on open source libraries maintained by individual maintainers. Though these can accelerate the development process and make it a lot less complicated, they come with their disadvantages—security vulnerabilities, improper access control management, and version deprecations. So whether one uses proprietary or open-source software, they have several issues that hackers can exploit. The development team has to tackle these issues, which ultimately leads to delay. Using specific tools to tackle these issues can prevent some of these delays.

Azure DevOps

There are several Azure DevOps services available that can be integrated with your existing code. Microsoft Azure offers Azure Boards, Pipelines, Repos, Artifacts, the extensions marketplace, and Azure Test Plans. Azure Pipelines lets you use continuous integration and continuous deployment for deploying your applications to the cloud. You can connect from a local git or an existing repository on GitHub. You can use several community-built extensions with Microsoft Azure to identify potential security threats in the code and used libraries.

Integrating Security to Your CI/CD Pipelines

DevOps is essential for organizations that scale their software, as it makes developing, testing, and deploying applications easier and faster. However, you cannot compromise safety for speed. It is important to identify security threats in the continuous integration pipeline itself so that secure applications are deployed faster. Security protocols must be complied with at every step of the development process.

Several tools can be applied at different stages of the development process, like pull requests via self-hosting open source vulnerability checkers, marketplace integrations to the Azure Pipeline, and final deployment.

You can conduct DAST (dynamic application security testing) with OWASP ZAP. It gives you a report that includes the results of the builds that are available in the log. The status of the bugs is available as well. It gets updated to ‘resolved’ once the issues are resolved. To understand how this can be done, we will be creating a test app with Python and Flask.

Create a folder python_web_app and create an app.py file with the following code:

from flask import Flask

app = Flask(__name__)

@app.route(“/”)

def home():

return “This is a test python web app!”

Next, specify dependencies in requirements.txt:

Flask==1.1.2

Your azure-pipelines.yml will look like this:

trigger:

– main

variables:

creation

azureServiceConnectionId: ’00c3f1ce-6f7c-41b4-a1bc-57fc08a4e472′

webAppName: ‘PythonWebApplication’

vmImageName: ‘ubuntu-latest’

environmentName: ‘PythonWebApplication’

manage.py file.

projectRoot: $(System.DefaultWorkingDirectory)

# Python version: 3.7

pythonVersion: ‘3.7’

stages:

– stage: Build

displayName: Build stage

jobs:

– job: BuildJob

pool:

vmImage: $(vmImageName)

steps:

– task: UsePythonVersion@0

inputs:

versionSpec: ‘$(pythonVersion)’

displayName: ‘Use Python $(pythonVersion)’

– script: |

python -m venv antenv

source antenv/bin/activate

python -m pip install –upgrade pip

pip install setup

pip install -r requirements.txt

workingDirectory: $(projectRoot)

displayName: “Install requirements”

– task: ArchiveFiles@2

displayName: ‘Archive files’

inputs:

rootFolderOrFile: ‘$(projectRoot)’

includeRootFolder: false

archiveType: zip

archiveFile: $(Build.ArtifactStagingDirectory)/$(Build.BuildId).zip

replaceExistingArchive: true

– upload: $(Build.ArtifactStagingDirectory)/$(Build.BuildId).zip

displayName: ‘Upload package’

artifact: drop

– stage: Deploy

displayName: ‘Deploy Web App’

dependsOn: Build

condition: succeeded()

jobs:

– deployment: DeploymentJob

pool:

vmImage: $(vmImageName)

environment: $(environmentName)

strategy:

runOnce:

deploy:

steps:

– task: UsePythonVersion@0

inputs:

versionSpec: ‘$(pythonVersion)’

displayName: ‘Use Python version’

– task: AzureWebApp@1

displayName: ‘Deploy Azure Web App : PythonWebApplication’

inputs:

azureSubscription: $(azureServiceConnectionId)

appName: $(webAppName)

package: $(Pipeline.Workspace)/drop/$(Build.BuildId).zip

You can find the Python_web_app and renovate-docker repositories on GitHub.

DevSecOps with Azure DevOps

Git secrets

Editor plugins can be used before committing code to the repository. At this stage, access tokens, storage account keys, and API access keys are identified. Git secrets is a pre-commit hook that does away with the need for committing passwords and access tokens to a repository.

Here’s how you can configure it:

Git clone https://github.com/awslabs/git-secrets.git

Cd git-secrets

Make install

If required, use sudo make install for installation.

Enable it on your repository:

cd Python_web_app

git secrets –install

git secrets –register-aws

Try!

Scan all files in the repo:

git secrets –scan

If you want to check only a certain file in your repository for secrets, use:

git secrets –scan FILE_PATH

With git secrets –scan -r /path/to/directory, you can scan a complete directory recursively for secrets.

Open Source Security Vulnerabilities

Your code may include several dependencies, e.g., third-party components, open-source libraries. Versions of these libraries will get deprecated with time. This has to be monitored so that the code can be updated accordingly on time. Security issues have to be checked constantly. You also need to identify problems related to open source licensing. There are tools that can help with all or some of these issues. Some of them include WhiteSource and Veracode.

WhiteSource Bolt

I personally love the free WhiteSource Bolt extension for Azure DevOps. It provides a detailed report on the severity of the security threats and suggests fixes. It also identifies open source licensing risks for third-party libraries. You can integrate it into your GitHub repository as well as your Azure DevOps pipeline.

Veracode

Veracode allows users to manage all security issues from a single place. It can be used with Azure Pipelines by installing the Veracode marketplace extension with your Azure DevOps organization. It identifies security threats early in the development process and allows you to stop the build and release if a critical security risk is detected. It also suggests fixes to remove the vulnerabilities.

Conclusion

If security vulnerabilities are identified at the later stages of the software development life cycle, it may cost a lot to fix them, way more than what would have been spent if the security issues had been detected at earlier stages. Hence, it is important for every organization developing software, to not only test their software for functionality but also scan for security and open source vulnerabilities as well before deploying it to production.

Exit mobile version